Coming out of the summer break we already had several very interesting sessions in our product team and with customers. We discussed approaches and capabilities for GRC platforms, so I felt the need to draw for myself a new overview of how everything belongs together. There are some new things that need to be fitted into the picture.

How everything belongs together

Where we still see room for improvement is the way risks are identified - the main driver is still one regulatory issue or another. This approach invariably leads to the question: "What control library should I use?" I try to encourage teams to break down business objectives first, in order to identify the risks that really endanger the success of a company - those may or may not be regulatory risks.

One of the new things I had to fit into the picture is Bow Tie Modeling. With the next ARIS service release we expanded our modeling methodology to support this approach, which allows you to analyze a risk scenario in depth without losing yourself in too much detail. Especially in risk-intensive businesses such as energy providers, this risk analysis and description methodology has become more and more popular. The success of this diagram lies in its clear structure and simplicity, which is easy for the non-specialist to understand but still has sufficient depth for an expert discussion. The basic idea is to connect the causes (threats) on the left with the consequences on the right via the risk event in the middle; the controls are placed on the paths, preventive controls between a threat and the risk event and mitigating controls between the risk event and a consequence. The diagram's main strength lies in scenarios where clear, independent paths lead to the occurrence of a risk event or consequence. It focuses attention on the controls to be established and thus forms the basis for actively managing the risk situation.

I made a small example to show you what it could look like:

bow tie model - demo
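The same structure expressed in code, as an added illustration that is not part of the original post and not ARIS code: each threat line and each consequence line is an independent path through the risk event that carries its own controls, and a few small checks report the paths that no effective control covers, the paths that rely on a single control, and the controls drawn on the diagram that are not actually working. The top event, threats, consequences and control names in `build_demo()` are constructed sample data, not taken from the post.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Barrier:
    """A control on a bow tie path. `effective` is False for a control that is
    only planned or known to be failing, so it does not count as protection."""
    name: str
    effective: bool = True


@dataclass
class ThreatLine:
    """One independent path from a threat (cause) to the risk event,
    with the preventive controls that sit on it."""
    threat: str
    barriers: List[Barrier] = field(default_factory=list)


@dataclass
class ConsequenceLine:
    """One independent path from the risk event to a consequence,
    with the mitigating / recovery controls that sit on it."""
    consequence: str
    barriers: List[Barrier] = field(default_factory=list)


@dataclass
class BowTie:
    top_event: str
    threat_lines: List[ThreatLine]
    consequence_lines: List[ConsequenceLine]

    def paths(self):
        """Yield (label, barriers) for every path through the diagram,
        threat side first, then consequence side."""
        for t in self.threat_lines:
            yield f"{t.threat} -> {self.top_event}", t.barriers
        for c in self.consequence_lines:
            yield f"{self.top_event} -> {c.consequence}", c.barriers


def effective_count(barriers: List[Barrier]) -> int:
    """Number of controls on a path that are currently providing protection."""
    return sum(1 for b in barriers if b.effective)


def unprotected_paths(bt: BowTie) -> List[str]:
    """Paths with no effective control: the threat reaches the risk event,
    or the risk event reaches the consequence, unhindered."""
    return [label for label, barriers in bt.paths() if effective_count(barriers) == 0]


def single_barrier_paths(bt: BowTie) -> List[str]:
    """Paths that depend on exactly one effective control (no defence in depth)."""
    return [label for label, barriers in bt.paths() if effective_count(barriers) == 1]


def ineffective_barriers(bt: BowTie) -> List[str]:
    """Controls that appear on the diagram but are not currently effective."""
    return [b.name for _, barriers in bt.paths() for b in barriers if not b.effective]


def build_demo() -> BowTie:
    """Constructed sample scenario (hypothetical names, for illustration only)."""
    return BowTie(
        top_event="Unauthorised access to customer database",
        threat_lines=[
            ThreatLine("Phished employee credentials",
                       [Barrier("Multi-factor authentication"),
                        Barrier("Phishing awareness training")]),
            ThreatLine("Unpatched internet-facing service",
                       [Barrier("Patch management SLA"),
                        Barrier("Web application firewall", effective=False)]),
            ThreatLine("Malicious insider with DBA rights"),  # no control drawn yet
        ],
        consequence_lines=[
            ConsequenceLine("Bulk export of customer records",
                            [Barrier("Egress data loss prevention"),
                             Barrier("Query rate limiting and alerting")]),
            ConsequenceLine("Regulatory fine",
                            [Barrier("Breach notification process")]),
        ],
    )


if __name__ == "__main__":
    demo = build_demo()
    print("Unprotected paths:", unprotected_paths(demo))
    print("Single-barrier paths:", single_barrier_paths(demo))
    print("Ineffective barriers:", ineffective_barriers(demo))
```

The three checks are where the diagram earns its keep in a management discussion: an unprotected path is a control to be established, a single-barrier path is a dependency on one control that should be backed up, and an ineffective barrier is a control that looks fine on the diagram but is not reducing the risk today.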

I'm convinced that Bow Tie modeling will offer our customers' risk officers a great new way to make their risk scenarios understood by management.

As usual I appreciate any ideas and comments on this - we will elaborate on some other "new things" in the next weeks.

Tags: GRC